Related companies

Majority of companies under-spending on security report says

New research from IT PCG says that companies are under-spending on security, but could significantly improve security by focus on best practice, not spending

By Mark Sutton

Wed 11 Mar 2009 12:00 AM

New research from the IT Policy Compliance Group (IT PCG) shows that more than 68% of companies are under-spending on information security relative to the financial risk.

The IT PCG, which is dedicated to developing research and data to help companies meet policy and compliance goals, says that organizations are under-spending relative to the risks that they face, but that by implementing best practices, they can drastically improve their security exposure without major expenditure.

The research, which covered 2,600 companies, mainly in the US, found that companies with the best practices of IT governance experienced up to 149 times less cost from data loss, theft and business downtime than those with the worst practices.

The practices that were rated as highest priorities among the best performing companies included leveraging a senior management team to manage risk; prioritizing risks, improving controls, and automating procedures; continuously assessing controls and risks; leveraging technical controls, policies, and IT change management and comprehensive reporting.

The best performing companies experienced fewer than three losses or thefts of sensitive information each year, less than seven hours of business downtime, and fewer than three audit-failing deficiencies, against more than fifteen losses or thefts of data each year, 80 or more hours of business downtime from IT failures, and more than fifteen audit-failing deficiencies for the worst performing 19% of companies. The best performing companies also spending between 35% and 52% less on audit fees and expenses.

Errol Rhoden, Regional Specialist Manager, Symantec IRM, one of the sponsors of the research said: “Like an insurance deductible, all organizations are willing to sustain some level of financial risk and loss from theft of customer data or some level of business downtime from IT disruptions. However, the research findings show that an organization’s loss-tolerance is exceedingly low, and the financial returns for small improvements are extraordinarily high.”

“Firms can either wait until an emergency pushes them to reprioritize, or they can decide that it is in their best interests to institute these industry proven practices,” he added.